Bug 1332141 - Heap Overflow bug in update_entry().
Summary: Heap Overflow bug in update_entry().
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libdwarf
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tom Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-02 11:13 UTC by lieanu
Modified: 2016-05-12 16:13 UTC (History)

Fixed In Version: libdwarf-20160507-1.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 16:13:52 UTC
Type: Bug
Embargoed:


Attachments
Heap Overflow test file (2.81 KB, application/x-object)
2016-05-02 11:13 UTC, lieanu

Description lieanu 2016-05-02 11:13:51 UTC
Created attachment 1152899 [details]
Heap Overflow test file

Hi,

I have reported this bug to upstream; I am reporting it here just for bug tracking, thanks.

Heap Overflow in the latest libdwarf git code.

In file dwarf_elf_access.c:1071

WRITE_UNALIGNED(dbg,target_section + offset,
     &outval,sizeof(outval),reloc_size);

A crafted ELF file may lead to a large offset value, which is bigger than the size of the target_section heap chunk; then this WRITE_UNALIGNED() call will write the value of outval outside the heap chunk.
offset is a 64-bit unsigned int value, so this is not only a heap overflow bug but also an out-of-bounds write bug.
So WRITE_UNALIGNED() needs stricter checking to prevent this.

An example follows:

*** Error in `/mnt/hgfs/lieanu/tools/AFL_fuzzer/workspace/new_dwarf_bugs/dwarfdump': free(): invalid next size (fast): 0x000000000065b540 ***

gef> bt
#0  0x00002aaaab16ecc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00002aaaab1720d8 in __GI_abort () at abort.c:89
#2  0x00002aaaab1ab394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x2aaaab2b9b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00002aaaab1b766e in malloc_printerr (ptr=<optimized out>, str=0x2aaaab2b9cc8 "free(): invalid next size (fast)", action=1) at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x000000000040dfb1 in esb_destructor (data=data@entry=0x7fffffffd4a0) at esb.c:252
#6  0x00000000004144ed in print_attribute (dbg=dbg@entry=0x654ea0, die=die@entry=0x65ab40, dieprint_cu_goffset=dieprint_cu_goffset@entry=11, attr=<optimized out>, attr_in=<optimized out>, print_information=print_information@entry=1, die_indent_level=<optimized out>, die_indent_level@entry=0, srcfiles=srcfiles@entry=0x65b450, cnt=cnt@entry=1) at print_die.c:3109
#7  0x0000000000416f38 in print_one_die (dbg=dbg@entry=0x654ea0, die=die@entry=0x65ab40, dieprint_cu_goffset=dieprint_cu_goffset@entry=11, print_information=1, die_indent_level=0, srcfiles=srcfiles@entry=0x65b450, cnt=cnt@entry=1, ignore_die_stack=ignore_die_stack@entry=0) at print_die.c:1447
#8  0x0000000000417610 in print_die_and_children_internal (dbg=dbg@entry=0x654ea0, in_die_in=0x65ab40, dieprint_cu_goffset=11, is_info=is_info@entry=1, srcfiles=0x65b450, cnt=1) at print_die.c:1036
#9  0x0000000000418689 in print_die_and_children (cnt=<optimized out>, srcfiles=<optimized out>, is_info=1, dieprint_cu_goffset=<optimized out>, in_die_in=<optimized out>, dbg=0x654ea0) at print_die.c:910
#10 print_one_die_section (dbg=0x654ea0, is_info=is_info@entry=1, pod_err=pod_err@entry=0x7fffffffdb38) at print_die.c:820
#11 0x0000000000418d41 in print_infos (dbg=<optimized out>, is_info=is_info@entry=1) at print_die.c:371
#12 0x0000000000406fca in process_one_file (l_config_file_data=0x63bda0 <g_config_file_data>, archive=0, tied_file_name=0x0, file_name=0x654030 "collect_dir/crash1", elftied=0x0, elf=<optimized out>) at dwarfdump.c:1352
#13 main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:645


gef> p *(mchunkptr)main_arena.top
$24 = struct malloc_chunk {
prev_size   = 0x0
size        = 0x500000009ab1
fd          = 0x0
bk          = 0x0
fd_nextsize = 0x0
bk_nextsize = 0x0

gef> p/x main_arena.system_mem 
$27 = 0x21000

The size (0x500000009ab1) of main_arena.top is corrupted; it is larger than the system_mem (0x21000) of main_arena, so a free(): invalid next size (fast) error will occur.

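Added example (not libdwarf's code and not part of the report above): the kind of bounds check the reporter asks for before the WRITE_UNALIGNED() call in dwarf_elf_access.c, shown with a naive check that can be bypassed by integer wraparound beside an overflow-safe form. The struct reloc layout, the function names, the little-endian byte emitter and the section/guard buffer are assumptions constructed for illustration; they do not mirror libdwarf's real structures or macros.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified relocation record (not libdwarf's own structures). */
struct reloc {
    uint64_t offset;     /* like Elf64_Rela.r_offset: attacker-controlled position in the section */
    uint64_t value;      /* the computed value to patch in (symbol value + addend) */
    unsigned reloc_size; /* bytes to patch: 4 or 8 */
};

/* Emit the low reloc_size bytes of value in little-endian order, byte by byte,
 * so the result does not depend on host endianness. Like the WRITE_UNALIGNED
 * macro, this does no bounds checking of its own: the caller must. */
static void write_unaligned_le(unsigned char *dest, uint64_t value, unsigned len_out)
{
    for (unsigned i = 0; i < len_out; i++)
        dest[i] = (unsigned char)((value >> (8 * i)) & 0xff);
}

/* The obvious check, written the wrong way: offset + reloc_size wraps around
 * for offsets near UINT64_MAX, so a huge attacker-chosen offset can pass. */
bool offset_in_bounds_naive(uint64_t offset, unsigned reloc_size, uint64_t section_size)
{
    return offset + reloc_size <= section_size;
}

/* Overflow-safe form: subtract on the trusted side instead of adding on the
 * untrusted side, so no wraparound is possible. */
bool offset_in_bounds(uint64_t offset, unsigned reloc_size, uint64_t section_size)
{
    if (reloc_size > section_size)
        return false;
    return offset <= section_size - reloc_size;
}

/* Apply one relocation into a section buffer of section_size bytes.
 * Returns 0 on success, -1 if the relocation is rejected. */
int apply_reloc_checked(unsigned char *section, uint64_t section_size, const struct reloc *r)
{
    if (r->reloc_size != 4 && r->reloc_size != 8)
        return -1;
    if (!offset_in_bounds(r->offset, r->reloc_size, section_size))
        return -1;
    write_unaligned_le(section + r->offset, r->value, r->reloc_size);
    return 0;
}

/* Apply a batch of relocations; returns how many were rejected. */
int apply_relocs(unsigned char *section, uint64_t section_size,
                 const struct reloc *relocs, size_t count)
{
    int rejected = 0;
    for (size_t i = 0; i < count; i++)
        if (apply_reloc_checked(section, section_size, &relocs[i]) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed input: a 32-byte "section" placed before a guard region so a
     * missed check would be visible as a modified guard byte. */
    enum { SECTION_SIZE = 32, GUARD_SIZE = 16 };
    unsigned char *buf = calloc(SECTION_SIZE + GUARD_SIZE, 1);
    if (!buf)
        return 1;
    memset(buf + SECTION_SIZE, 0xAA, GUARD_SIZE);

    const struct reloc relocs[] = {
        { 24, 0x1122334455667788ULL, 8 },   /* last valid 8-byte slot */
        { 28, 0xDEADBEEFULL, 4 },           /* last valid 4-byte slot */
        { 29, 0xDEADBEEFULL, 4 },           /* one byte past the end */
        { 100, 1, 4 },                      /* far past the end, as in the report */
        { UINT64_MAX - 3, 1, 8 },           /* wraps the naive check */
    };
    size_t n = sizeof relocs / sizeof relocs[0];

    int rejected = apply_relocs(buf, SECTION_SIZE, relocs, n);
    printf("%d of %zu relocations rejected\n", rejected, n);
    for (size_t i = 0; i < n; i++)
        printf("offset %llu: naive=%d safe=%d\n", (unsigned long long)relocs[i].offset,
               offset_in_bounds_naive(relocs[i].offset, relocs[i].reloc_size, SECTION_SIZE),
               offset_in_bounds(relocs[i].offset, relocs[i].reloc_size, SECTION_SIZE));

    bool guard_intact = true;
    for (int i = 0; i < GUARD_SIZE; i++)
        if (buf[SECTION_SIZE + i] != 0xAA)
            guard_intact = false;
    printf("guard intact: %s\n", guard_intact ? "yes" : "no");
    free(buf);
    return guard_intact ? 0 : 1;
}
```

The check belongs at the call site, before the pointer arithmetic `target_section + offset` is even formed: once the offset is trusted to be within `section_size - reloc_size`, the unchecked byte copy is safe regardless of whether the section buffer is a heap chunk or a mapped file.
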
Comment 1 Fedora Update System 2016-05-08 10:27:29 UTC
libdwarf-20160507-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

Comment 2 Fedora Update System 2016-05-09 00:55:06 UTC
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

Comment 3 Fedora Update System 2016-05-12 16:13:14 UTC
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

